US7447650B1 - Method for accelerating Sarbanes-Oxley (SOX) compliance process for management of a company - Google Patents

Method for accelerating Sarbanes-Oxley (SOX) compliance process for management of a company Download PDF

Info

Publication number
US7447650B1
US7447650B1 US11/315,995 US31599505A US7447650B1 US 7447650 B1 US7447650 B1 US 7447650B1 US 31599505 A US31599505 A US 31599505A US 7447650 B1 US7447650 B1 US 7447650B1
Authority
US
United States
Prior art keywords
internal controls
sarbanes
oxley
compliance
testing
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related, expires
Application number
US11/315,995
Inventor
John Gutierrez
Blake Sellers
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Grant Thornton Advisors LLC
Original Assignee
Avalion Consulting LLC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Avalion Consulting LLC filed Critical Avalion Consulting LLC
Priority to US11/315,995 priority Critical patent/US7447650B1/en
Assigned to AVVANTICA CONSULTING, LLC reassignment AVVANTICA CONSULTING, LLC ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: GUTIERREZ, JOHN, SELLERS, BLAKE
Assigned to AVALION CONSULTING, LLC reassignment AVALION CONSULTING, LLC ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: AVVANTICA CONSULTING, LLC
Application granted granted Critical
Publication of US7447650B1 publication Critical patent/US7447650B1/en
Assigned to GRANT THORNTON LLP reassignment GRANT THORNTON LLP ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: AVALION CONSULTING, LLC
Assigned to DEUTSCHE BANK AG NEW YORK BRANCH, AS ADMINISTRATIVE AGENT reassignment DEUTSCHE BANK AG NEW YORK BRANCH, AS ADMINISTRATIVE AGENT PATENT SECURITY AGREEMENT Assignors: GRANT THORNTON ADVISORS LLC
Assigned to GRANT THORNTON ADVISORS LLC reassignment GRANT THORNTON ADVISORS LLC ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: GRANT THORNTON LLP
Expired - Fee Related legal-status Critical Current
Adjusted expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q40/00Finance; Insurance; Tax strategies; Processing of corporate or income taxes
    • G06Q40/06Asset management; Financial planning or analysis
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q40/00Finance; Insurance; Tax strategies; Processing of corporate or income taxes
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q40/00Finance; Insurance; Tax strategies; Processing of corporate or income taxes
    • G06Q40/04Trading; Exchange, e.g. stocks, commodities, derivatives or currency exchange

Definitions

  • the embodiments relate to methods for accelerating Sarbanes-Oxley compliance process for management of a company.
  • the Sarbanes-Oxley Act provides protection to investors and shareholders of public companies by mandating a set of internal procedures regarding corporate accountability, audit requirements, and compliance.
  • the Act covers such issues as establishing a public company accounting oversight board, auditor independence, corporate responsibility and governance, corporate certification requirements, and enhanced financial disclosure including a code of ethics.
  • the Sarbanes-Oxley Act creates an obligation for officers and directors of a company to warrant to their shareholders or to their investors the accuracy of the company's accounting information, the internal controls in place to safeguard the assets of the company, and the validity of the reports and financial statements produced. Accordingly, the Federal Sentencing Commission has significantly enhanced penalties for the more serious corporate crimes, in response to the U.S. federal Sarbanes-Oxley Act.
  • the Sarbanes-Oxley Act codifies a framework of categories of internal controls for regulating accountability, governance, and compliance with regard to the Act, namely, Risk Assessment, Control Environment, Control Activities, Information and Communications, and Monitoring. Although compliance with the Act serves to mitigate, or avoid completely, any opportunities for fraudulent reporting and any associated risks, the more important aspects of the framework of the Sarbanes-Oxley Act are that it provides the benefits of increased corporate integrity and accountability which can lead to increased stock and overall company value.
  • FIG. 1 depicts a flow diagram of a Sarbanes-Oxley compliance process usable in a method for accelerating Sarbanes-Oxley compliance for management of a company.
  • FIG. 2 depicts a diagrammatical plan for defining scope components usable in a method for accelerating Sarbanes-Oxley compliance for management of a company.
  • FIG. 3 depicts a diagrammatical plan for establishing internal controls and operating internal controls usable in a method for accelerating Sarbanes-Oxley compliance for management of a company.
  • FIG. 4 depicts a diagrammatical plan for planning, testing, and evaluating the effectiveness of internal controls usable in a method for accelerating Sarbanes-Oxley compliance for management of a company.
  • FIG. 5 depicts a diagrammatical plan for remediating ineffective internal controls usable in a method for accelerating Sarbanes-Oxley compliance for management of a company.
  • FIG. 6 depicts a diagrammatical plan for monitoring effectiveness of internal controls usable in a method for accelerating Sarbanes-Oxley compliance for management of a company.
  • FIG. 7 depicts a diagrammatical plan for Sarbanes-Oxley compliance certification of a company.
  • the embodied methods for accelerating Sarbanes-Oxley compliance in a company can include providing the company with an efficient process for complying with the Sarbanes-Oxley Act and subsequently increasing company integrity.
  • the methods provide the company with real time metrics and an executive dashboard for the management of financial reporting controls structure and of the overall operating controls environment.
  • the methods provide a Sarbanes-Oxley compliance process that can encompass improvements to operation efficiency.
  • the operation efficiency is achieved by reducing the time required to test, remediate, and maintain internal controls by facilitating managerial controls and operations, by evaluating materiality of control deficiencies, and by performing periodic assertions.
  • Compliance to the Sarbanes-Oxley Act provides companies the ability to mitigate, or avoid completely, any fraudulent reporting or associated company procedural risks, which can ultimately strengthen the company's reliability, accountability, and value.
  • the embodiments include defining scope components that can be required for Sarbanes-Oxley compliance by the management of the company.
  • Internal controls can be established for achieving Sarbanes-Oxley compliance with regard to the scope components for the company.
  • Internal controls can be established and can be operated using an internal controls library.
  • the internal controls library includes parameters for determining the effectiveness or ineffectiveness of the internal controls.
  • the internal controls library can be a centralized library both maintained and kept by a third party or kept and controlled by the company.
  • the library is organized by a flexible hierarchy and is organized to reflect how a company wants to represent business entities, functional areas, process ownership, internal control ownership and maintenance throughout their organization. Companies can setup business processes and related controls and then copy, or extend them, to other nodes or business areas in the hierarchy.
  • the third party can store all relevant best practice control characteristics or fields as defined by generally accepted controls frameworks, such as COSO and COBIT.
  • the third party can maintain the library to allow for customizable fields unique to a specific company.
  • the library can be organized to include the ability to capture internal controls test steps in each of the control records.
  • the internal controls library can establish the initial internal controls data, can define all relevant COSO components, can define or copy to relevant internal controls to subsidiaries, and can be integrated with workflow items.
  • test steps are automatically copied into the test details sheet used to facilitate execution of a test and can serve as an audit trail for the testing process.
  • the test steps that are automatically copied into the test details sheet can be based on internal controls specified by a company or can be generalized (for example, the test detail sheet can be automatically generated for all software businesses).
  • the embodied methods can utilize data storage for electronic retention of all supporting evidence, audit work-papers and approvals as native to the testing work-flow and testing library.
  • the methods include planning or designing internal controls and, then, testing the internal controls for the purpose of achieving Sarbanes-Oxley compliance for the scope components for the company.
  • the internal controls are “dynamic”, meaning that the internal controls are to be continuously maintained in order to properly address changes in the business. For example, a company may change in size due to an acquisition or divestiture, a company may modify business organization (for example, consolidated numerous departments into one centralized shared services department), or a company may change technology (for example, consolidated switch from three separate software applications to one centralized, integrated application system) to meet specific business requirements
  • the internal controls are evaluated or compared to the parameters of the internal controls library. If the internal controls are within the parameters of the internal controls library, then the internal controls are deemed effective. If the internal controls do not match or are outside the parameters of the internal controls library, then the internal controls are remediated, modified, or corrected.
  • the purpose of the modification or remediation of the internal controls is to create effective internal controls for achieving Sarbanes-Oxley compliance.
  • the methods can include monitoring the internal controls and the remediating of the internal controls on a real time basis for achieving Sarbanes-Oxley compliance and, then, certifying the company by preparing certifications, assertions, and reports relative to the achieved Sarbanes-Oxley compliance using the monitored internal controls and remediated internal controls.
  • the embodied methods provide management with a discrete set of conclusions regarding the effectiveness those internal controls for specific set of “occurrences” even as the internal controls change.
  • This aspect of the embodied methods solves the problem of a company testing complying once with regard to the Sarbanes-Oxley standards, then believing the company is in compliance after the company has changed.
  • the methods provide a “static” test to continuously or periodically test the dynamic internal controls.
  • FIG. 1 depicts a flow diagram of a Sarbanes-Oxley compliance process ( 5 ) usable in an embodiment of a method for accelerating Sarbanes-Oxley compliance for management of a company.
  • the methods for accelerating the Sarbanes-Oxley compliance process can begin by defining the scope components needed for Sarbanes-Oxley compliance ( 10 ).
  • An example of how the scope components can be defined is by defining the scope components based on an annual basis for achieving and maintaining Sarbanes-Oxley compliance by the company.
  • Another example of how the scope components can be defined is by defining a value for scope components, such as a particular or required process, an entity, a technology, a location, and combinations thereof.
  • the methods can include establishing internal controls for achieving Sarbanes-Oxley compliance for the scope components, and operating the internal controls using an internal controls library ( 15 ).
  • the internal controls library can include established parameters that can be used in planning, designing, testing, and evaluating the internal controls for effectiveness in achieving Sarbanes-Oxley compliance for the scope components ( 20 ).
  • the internal controls associated with the identified scope components are compared to parameters in internal controls library to identify the internal controls that are outside of the parameters so those internal controls can be remediated to create effective internal controls ( 25 ).
  • the scope components for the company can include processes, procedures, technologies, and entities of the company.
  • the methods can include planning and designing corresponding internal controls for the scope components, which can include designing internal controls for testing existing as well as newly created or revised company processes, procedures, and operations.
  • the embodiments of the method include monitoring the internal controls and the remediating of the internal controls on a real time basis for achieving Sarbanes-Oxley compliance ( 30 ), and certifying the company by preparing certifications, assertions, and reports relative to the achieved Sarbanes-Oxley compliance using the monitored internal controls and remediated internal controls ( 35 ).
  • FIG. 2 depicts a diagrammatical plan for defining scope components ( 10 ) usable in a method for accelerating Sarbanes-Oxley compliance for management of a company ( 5 ).
  • the defined scope components can include developing an initial, and annually thereafter, risk assessment for the company and entities within the company, as well as, defining the scope components and internal controls needed by the company for achieving Sarbanes-Oxley compliance ( 40 ).
  • the method includes producing an annual risk assessment report after completion of each annual risk assessment ( 40 ).
  • Accelerating the Sarbanes-Oxley compliance process can include associating a value amount with the defined scope components ( 45 ).
  • the methods continue by reviewing the defined scope components with an external auditor ( 50 ) and validating the defined scope components with the external auditor ( 55 ) in an efficient manner.
  • the defined scope components can be communicated to the company ( 60 ), and a methodology can be maintained for annual compliance as well as the on-going practice of the Sarbanes-Oxley compliance process ( 65 ).
  • FIG. 3 depicts a diagrammatical plan for establishing internal controls and operating internal controls, as depicted in FIG. 1 .
  • the method includes identifying an event, a technology, or combinations thereof, that adds the internal controls ( 80 ) as needed by the company for maintaining Sarbanes-Oxley compliance, as well as identifying an event, a technology, or a combination thereof, that sunsets or discontinues the internal controls ( 85 ) that are no longer needed or required.
  • the methods can include: communicating impact event information when there is a need to change the internal controls ( 90 ), updating the parameters of the internal controls library ( 95 ) to accommodate multiple control frameworks or business changes, and instructing employees to perform one or more activities or one or more steps of each internal control ( 100 ).
  • FIG. 4 depicts a diagrammatical plan for planning, testing, and evaluating the effectiveness of the internal controls ( 20 ), as depicted in FIG. 1 .
  • the methods include the planned steps of designing or planning the internal controls to be used by the company for achieving and maintaining Sarbanes-Oxley compliance, and testing the internal controls for achieving Sarbanes-Oxley compliance for the scope components. Then, the tested internal controls for achieving Sarbanes-Oxley compliance can be evaluated using the parameters of the internal controls library to determine the effective internal controls that are within the parameters, and the ineffective internal controls that are outside the parameters.
  • the embodiments of the method can include defining testing groups and testing cycles for each fiscal year ( 105 ), identifying the internal controls to be tested by each testing group and in each testing cycle ( 110 ), and identifying testing steps for each internal control to be tested ( 115 ).
  • the methods can include requesting evidence of internal controls operations to support testing for each internal control ( 120 ), and preparing and examining the evidence for completeness ( 125 ).
  • the evidence of the internal controls operations can include: an observation, an answer to a query, a document, and combinations thereof.
  • Testing can be performed to test effectiveness of each internal control ( 130 ), and the testing of each internal control can be evaluated using the parameters of the internal controls library ( 135 ) to determine effectiveness of the internal controls.
  • the testing results of the internal controls can be communicated to the management of a company, owners of a company, an audit committee for a company, and combinations thereof ( 140 ).
  • the embodied methods allow for internal controls testing across many testing groups (for example, internal audit, external audit, operational peer review).
  • the number of testing groups can vary, but is usually based on the number of groups the company wants to establish.
  • the testing is further facilitated through flexible testing cycles.
  • the methods can include a testing step, wherein the company can establish many different testing groups, with potential overlap regarding testing off specific controls.
  • These embodied methods differs from other solutions where only one test plan is provided. The company can then use the results from the testing of the different groups in support of a company's overall Sarbanes-Oxley certifications and assertions.
  • the internal controls are “dynamic” in that the internal controls can change as the company changes.
  • the methods can incorporate analyzing the internal controls in various stages as a cycle.
  • the methods can entail applying a rating system in conjunction or not in conjunction with an executive dashboard.
  • the rating system can relate to the various iterative “stages”, or statuses, a control may follow.
  • a stop-light analogy can be used to reflect the status of each specific control at any given time.
  • a high green light or effective status can be given if a control was effective based on the last test result.
  • a low green light or effective status can be given if the same control was effective last time the control was tested and is now scheduled for additional testing.
  • a low red light or ineffective status can be given if the same control tests with exceptions/fails a test.
  • a high red light or ineffective status but showing some incremental progress status can be given if the same control that tested ineffective is now in remediation.
  • a yellow light or ineffective but significantly progressing toward effective status can be given if the same control has now been remediated and is schedule for remediation testing.
  • the green light or effective status can be given if the same control successfully completes remediation testing.
  • FIG. 5 depicts a diagrammatical plan for remediating ineffective internal controls or internal controls that are outside of the parameters of the internal controls library to create effective internal controls ( 25 ), as depicted in FIG. 1 .
  • the embodiments of the method can include the planned steps of determining a need for internal controls remediation ( 145 ) by reviewing designs of the internal controls that failed testing ( 150 ), creating a remediation plan to remedy internal controls that failed testing ( 155 ), and implementing the created remediation plan ( 160 ).
  • the internal controls can be tested ( 165 ) to determine effectiveness, which can include remediation testing, testing of a previously tested internal control, and combinations thereof.
  • the remediation test results of the internal controls can be communicated to the management and the owners of the company ( 170 ).
  • FIG. 6 depicts a diagrammatical plan for monitoring effectiveness of internal controls ( 30 ), as depicted in FIG. 1 .
  • the embodiments of the method for accelerating Sarbanes-Oxley compliance for management of a company can include the planned steps of monitoring the internal controls and the remediating of the internal controls on a real time basis for achieving Sarbanes-Oxley compliance ( 30 ), and for providing an executive dashboard on a real time basis for achieving Sarbanes-Oxley compliance ( 175 ).
  • the method steps can include: providing a real time display of internal controls in operation ( 180 ), providing a real time display of internal controls testing ( 185 ), providing a real time display of remediation of internal controls ( 190 ), and combinations thereof.
  • the executive dashboard for achieving Sarbanes-Oxley compliance can be transmitted to: a board of directors, an audit committee, an external auditor, and combinations thereof ( 195 ) for review and validation.
  • the embodiments of the method can include updating the executive dashboard consistent with the expansion of the defined scope components required for Sarbanes-Oxley compliance for the company ( 200 ). Further, the method can include, performing a written approval of the executive dashboard for monitoring the internal controls, which can include a sign-off process for management ( 205 ).
  • FIG. 7 depicts a diagrammatical plan for Sarbanes-Oxley compliance certification of the company ( 35 ), as depicted in FIG. 1 .
  • the methods for accelerating Sarbanes-Oxley compliance can include the steps of certifying the company by preparing certifications, assertions, and reports relative to the achieved Sarbanes-Oxley compliance using the monitored internal controls and remediated internal controls.
  • the certification process can include managing a sub-certification form completion process that includes: validating compliance process narratives for completeness and accuracy, revising documentation of controls, and facilitating sign-off on sub-certification by management and owners of the company ( 210 ).
  • the certification process is flexible and can include sub-certification and/or multiple levels of sign off.
  • the embodiments can include the next steps of: performing deficiency evaluations on the internal controls that fail as of a certain date ( 215 ), aggregating deficiency evaluation results by financial statement line item ( 220 ), determining effectiveness of internal controls ( 225 ), and reviewing validated results with the external auditor ( 230 ).
  • This can facilitate the Sarbanes-Oxley requirement for the independent or external auditor's review of management testing and subsequently reduce auditing fees.
  • the certification process can include preparing Sarbanes-Oxley compliance certifications and assertions ( 235 ), and preparing financial results reports ( 240 ) or other testing results reports for each management area. Each management area can, then, certify a design or a plan, the maintenance, the testing, and combinations thereof, with regard to the internal controls for their area of the company in achieving and maintaining Sarbanes-Oxley compliance.
  • the annual certification process can conclude by issuing financial reports with Sarbanes-Oxley compliance results ( 245 ) for the year, which then complies with the on-going Sarbanes-Oxley compliance process.
  • the methods can further include steps directed toward establishing year-end evaluation of ineffective controls process. All supporting evidence, audit work-papers and approvals associated with the steps of establishing Sarbanes-Oxley compliance can be codified.
  • the codified result takes the complex audit evaluation process and creates an output that a “layman” or non-audit experienced staff member, process owner and/or executive, can easily follow.
  • the methods provide functionality for management to aggregate individual deficiencies to determine if the company collectively has a significant deficiency or material weakness. For example, the methods can create a report that presents the five deficient controls related to Capital Leases, thereby enabling management to create an opinion as to the collective impact that the deficiencies may have on financial reporting.
  • the codified results from the embodied methods facilitate Sarbanes-Oxley compliance process since the codified result serves as supporting evidence for a company's Sarbanes-Oxley compliance assertion.
  • the methods can include a request for evidence process and metrics for facilitating controls testing.
  • the methods can identify specific evidence required to test the operational effectiveness of a control and can build a detailed audit-trail of the test.
  • the methods can capture electronic copies of information supplied for a specific controls test and can establish key metrics to enable accountability within the organization. All requests for evidence can be time stamped in the system and then “aged” by how long it takes to supply the tester with the requested information.
  • the request of evidence process can automatically generate e-mail requests for evidence and can generate random sample selections. Evidence that further supports the test that an internal control is effective can be uploaded.
  • the request for evidence can include uploading the data and test details into the internal controls library.
  • the embodied methods can include tracking the remediation process for ineffective internal controls.
  • the ineffective internal controls can be tracked in order to identify, understand, and document a root cause for failure of a control.
  • Tracking the remediation process can include an automatic generation of a request for remediation after each ineffective test.
  • the request for remediation can be directed to the process owner for validation and/or approval.
  • Tracking the remediation process can include updating a controls master data to reflect that the ineffective internal control is “in remediation.”
  • the methods can include flexible parameters to allow management to manage the process requesting requests for remediation using metrics, such as aging. Tracking the remediation process can include following a “next occurrence” methodology and can be used to establish an audit trail with work-flow history.

Landscapes

  • Business, Economics & Management (AREA)
  • Engineering & Computer Science (AREA)
  • Accounting & Taxation (AREA)
  • Finance (AREA)
  • Development Economics (AREA)
  • Technology Law (AREA)
  • Marketing (AREA)
  • Strategic Management (AREA)
  • Economics (AREA)
  • Physics & Mathematics (AREA)
  • General Business, Economics & Management (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Entrepreneurship & Innovation (AREA)
  • Game Theory and Decision Science (AREA)
  • Human Resources & Organizations (AREA)
  • Operations Research (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

A method for accelerating Sarbanes-Oxley (SOX) compliance for management of a company is disclosed. The methodology employs a method that includes defining scope components needed for Sarbanes-Oxley compliance by the company, establishing internal controls for achieving Sarbanes-Oxley compliance for the scope components, and operating the internal controls using an internal controls library comprising parameters to be used in planning, testing, and evaluating the internal controls for achieving Sarbanes-Oxley compliance for the scope components. Internal controls for achieving Sarbanes-Oxley compliance, which are outside of the parameters of the internal controls library, are remediated to create effective internal controls. The method includes monitoring the internal controls and the remediating of the internal controls on a real time basis for achieving Sarbanes-Oxley compliance, and certifying the company by preparing certifications, assertions, and reports relative to the achieved Sarbanes-Oxley compliance using the monitored internal controls and remediated internal controls.

Description

FIELD
The embodiments relate to methods for accelerating Sarbanes-Oxley compliance process for management of a company.
BACKGROUND
Significant changes to corporate governance and accountability occurred in fiscal year 2002 with the approval of the United States (U.S.) federal Sarbanes-Oxley Act (SOX). Officially titled the Public Company Accounting Reform and Investor Protection Act and signed into law on Jul. 30, 2002, the Sarbanes-Oxley Act was approved for the purpose of improving the accuracy, integrity, and reliability of corporate disclosures and governance as well as regulation with regard to United States securities laws.
The Sarbanes-Oxley Act provides protection to investors and shareholders of public companies by mandating a set of internal procedures regarding corporate accountability, audit requirements, and compliance. The Act covers such issues as establishing a public company accounting oversight board, auditor independence, corporate responsibility and governance, corporate certification requirements, and enhanced financial disclosure including a code of ethics. Further, the Sarbanes-Oxley Act creates an obligation for officers and directors of a company to warrant to their shareholders or to their investors the accuracy of the company's accounting information, the internal controls in place to safeguard the assets of the company, and the validity of the reports and financial statements produced. Accordingly, the Federal Sentencing Commission has significantly enhanced penalties for the more serious corporate crimes, in response to the U.S. federal Sarbanes-Oxley Act.
The Sarbanes-Oxley Act codifies a framework of categories of internal controls for regulating accountability, governance, and compliance with regard to the Act, namely, Risk Assessment, Control Environment, Control Activities, Information and Communications, and Monitoring. Although compliance with the Act serves to mitigate, or avoid completely, any opportunities for fraudulent reporting and any associated risks, the more important aspects of the framework of the Sarbanes-Oxley Act are that it provides the benefits of increased corporate integrity and accountability which can lead to increased stock and overall company value.
Compliance with the Sarbanes-Oxley Act is accordingly an urgent issue for many public companies, particularly the companies that lack knowledge of the Act or that lack the management expertise or capabilities for addressing the Sarbanes-Oxley requirements and implementation of the internal controls for Sarbanes-Oxley compliance.
A need exists for methods for accelerating the process to efficiently establish Sarbanes-Oxley compliance within a company.
A need exists for methods to establish and implement efficiently internal controls testing and monitoring within a company to mitigate any assessed company risks and to provide improvements for company management and operations in compliance with the Sarbanes-Oxley Act.
The present embodiments meet these needs.
BRIEF DESCRIPTION OF THE DRAWINGS
The detailed description will be better understood in conjunction with the accompanying drawings as follows:
FIG. 1 depicts a flow diagram of a Sarbanes-Oxley compliance process usable in a method for accelerating Sarbanes-Oxley compliance for management of a company.
FIG. 2 depicts a diagrammatical plan for defining scope components usable in a method for accelerating Sarbanes-Oxley compliance for management of a company.
FIG. 3 depicts a diagrammatical plan for establishing internal controls and operating internal controls usable in a method for accelerating Sarbanes-Oxley compliance for management of a company.
FIG. 4 depicts a diagrammatical plan for planning, testing, and evaluating the effectiveness of internal controls usable in a method for accelerating Sarbanes-Oxley compliance for management of a company.
FIG. 5 depicts a diagrammatical plan for remediating ineffective internal controls usable in a method for accelerating Sarbanes-Oxley compliance for management of a company.
FIG. 6 depicts a diagrammatical plan for monitoring effectiveness of internal controls usable in a method for accelerating Sarbanes-Oxley compliance for management of a company.
FIG. 7 depicts a diagrammatical plan for Sarbanes-Oxley compliance certification of a company.
The present embodiments are detailed below with reference to the listed Figures.
DETAILED DESCRIPTION OF THE EMBODIMENTS
Before explaining the present embodiments in detail, it is to be understood that the embodiments are not limited to the particular embodiments and that they can be practiced or carried out in various ways.
The embodied methods for accelerating Sarbanes-Oxley compliance in a company can include providing the company with an efficient process for complying with the Sarbanes-Oxley Act and subsequently increasing company integrity. The methods provide the company with real time metrics and an executive dashboard for the management of financial reporting controls structure and of the overall operating controls environment. In addition, the methods provide a Sarbanes-Oxley compliance process that can encompass improvements to operation efficiency. The operation efficiency is achieved by reducing the time required to test, remediate, and maintain internal controls by facilitating managerial controls and operations, by evaluating materiality of control deficiencies, and by performing periodic assertions. Compliance to the Sarbanes-Oxley Act provides companies the ability to mitigate, or avoid completely, any fraudulent reporting or associated company procedural risks, which can ultimately strengthen the company's reliability, accountability, and value.
The embodiments include defining scope components that can be required for Sarbanes-Oxley compliance by the management of the company. Internal controls can be established for achieving Sarbanes-Oxley compliance with regard to the scope components for the company. Internal controls can be established and can be operated using an internal controls library. The internal controls library includes parameters for determining the effectiveness or ineffectiveness of the internal controls.
The internal controls library can be a centralized library both maintained and kept by a third party or kept and controlled by the company. In one embodiment of the library, the library is organized by a flexible hierarchy and is organized to reflect how a company wants to represent business entities, functional areas, process ownership, internal control ownership and maintenance throughout their organization. Companies can setup business processes and related controls and then copy, or extend them, to other nodes or business areas in the hierarchy. If the third party maintains the library, the third party can store all relevant best practice control characteristics or fields as defined by generally accepted controls frameworks, such as COSO and COBIT. The third party can maintain the library to allow for customizable fields unique to a specific company. The library can be organized to include the ability to capture internal controls test steps in each of the control records. The internal controls library can establish the initial internal controls data, can define all relevant COSO components, can define or copy to relevant internal controls to subsidiaries, and can be integrated with workflow items.
From the internal controls library, automated generation of controls test details sheets, pre-populated with information, can be created. Standard internal control can be stored in the internal controls library. To increase the efficiency of the testing process, the test steps are automatically copied into the test details sheet used to facilitate execution of a test and can serve as an audit trail for the testing process. The test steps that are automatically copied into the test details sheet can be based on internal controls specified by a company or can be generalized (for example, the test detail sheet can be automatically generated for all software businesses).
The embodied methods can utilize data storage for electronic retention of all supporting evidence, audit work-papers and approvals as native to the testing work-flow and testing library.
The methods include planning or designing internal controls and, then, testing the internal controls for the purpose of achieving Sarbanes-Oxley compliance for the scope components for the company. Throughout the methods, the internal controls are “dynamic”, meaning that the internal controls are to be continuously maintained in order to properly address changes in the business. For example, a company may change in size due to an acquisition or divestiture, a company may modify business organization (for example, consolidated numerous departments into one centralized shared services department), or a company may change technology (for example, consolidated switch from three separate software applications to one centralized, integrated application system) to meet specific business requirements
The internal controls are evaluated or compared to the parameters of the internal controls library. If the internal controls are within the parameters of the internal controls library, then the internal controls are deemed effective. If the internal controls do not match or are outside the parameters of the internal controls library, then the internal controls are remediated, modified, or corrected. The purpose of the modification or remediation of the internal controls is to create effective internal controls for achieving Sarbanes-Oxley compliance. The methods can include monitoring the internal controls and the remediating of the internal controls on a real time basis for achieving Sarbanes-Oxley compliance and, then, certifying the company by preparing certifications, assertions, and reports relative to the achieved Sarbanes-Oxley compliance using the monitored internal controls and remediated internal controls.
Regarding the Sarbanes-Oxley requirement for companies to test their system of internal controls, the embodied methods provide management with a discrete set of conclusions regarding the effectiveness those internal controls for specific set of “occurrences” even as the internal controls change. This aspect of the embodied methods solves the problem of a company testing complying once with regard to the Sarbanes-Oxley standards, then believing the company is in compliance after the company has changed. The methods provide a “static” test to continuously or periodically test the dynamic internal controls.
With regard to the figures, FIG. 1 depicts a flow diagram of a Sarbanes-Oxley compliance process (5) usable in an embodiment of a method for accelerating Sarbanes-Oxley compliance for management of a company. The methods for accelerating the Sarbanes-Oxley compliance process can begin by defining the scope components needed for Sarbanes-Oxley compliance (10). An example of how the scope components can be defined is by defining the scope components based on an annual basis for achieving and maintaining Sarbanes-Oxley compliance by the company. Another example of how the scope components can be defined is by defining a value for scope components, such as a particular or required process, an entity, a technology, a location, and combinations thereof.
The methods can include establishing internal controls for achieving Sarbanes-Oxley compliance for the scope components, and operating the internal controls using an internal controls library (15). The internal controls library can include established parameters that can be used in planning, designing, testing, and evaluating the internal controls for effectiveness in achieving Sarbanes-Oxley compliance for the scope components (20). The internal controls associated with the identified scope components are compared to parameters in internal controls library to identify the internal controls that are outside of the parameters so those internal controls can be remediated to create effective internal controls (25). The scope components for the company can include processes, procedures, technologies, and entities of the company. The methods can include planning and designing corresponding internal controls for the scope components, which can include designing internal controls for testing existing as well as newly created or revised company processes, procedures, and operations.
The embodiments of the method include monitoring the internal controls and the remediating of the internal controls on a real time basis for achieving Sarbanes-Oxley compliance (30), and certifying the company by preparing certifications, assertions, and reports relative to the achieved Sarbanes-Oxley compliance using the monitored internal controls and remediated internal controls (35).
FIG. 2 depicts a diagrammatical plan for defining scope components (10) usable in a method for accelerating Sarbanes-Oxley compliance for management of a company (5). The defined scope components can include developing an initial, and annually thereafter, risk assessment for the company and entities within the company, as well as, defining the scope components and internal controls needed by the company for achieving Sarbanes-Oxley compliance (40). The method includes producing an annual risk assessment report after completion of each annual risk assessment (40).
Accelerating the Sarbanes-Oxley compliance process can include associating a value amount with the defined scope components (45). The methods continue by reviewing the defined scope components with an external auditor (50) and validating the defined scope components with the external auditor (55) in an efficient manner. The defined scope components can be communicated to the company (60), and a methodology can be maintained for annual compliance as well as the on-going practice of the Sarbanes-Oxley compliance process (65).
FIG. 3 depicts a diagrammatical plan for establishing internal controls and operating internal controls, as depicted in FIG. 1. The planned steps of defining one or more activities and one or more steps of each internal control (70) with regard to the company for achieving and maintaining Sarbanes-Oxley compliance, and identifying an event, a technology, or combinations thereof, that creates a requirement to change one or more activities or one or more steps of each internal control (75). The method includes identifying an event, a technology, or combinations thereof, that adds the internal controls (80) as needed by the company for maintaining Sarbanes-Oxley compliance, as well as identifying an event, a technology, or a combination thereof, that sunsets or discontinues the internal controls (85) that are no longer needed or required. The methods can include: communicating impact event information when there is a need to change the internal controls (90), updating the parameters of the internal controls library (95) to accommodate multiple control frameworks or business changes, and instructing employees to perform one or more activities or one or more steps of each internal control (100).
FIG. 4 depicts a diagrammatical plan for planning, testing, and evaluating the effectiveness of the internal controls (20), as depicted in FIG. 1. The methods include the planned steps of designing or planning the internal controls to be used by the company for achieving and maintaining Sarbanes-Oxley compliance, and testing the internal controls for achieving Sarbanes-Oxley compliance for the scope components. Then, the tested internal controls for achieving Sarbanes-Oxley compliance can be evaluated using the parameters of the internal controls library to determine the effective internal controls that are within the parameters, and the ineffective internal controls that are outside the parameters.
The embodiments of the method can include defining testing groups and testing cycles for each fiscal year (105), identifying the internal controls to be tested by each testing group and in each testing cycle (110), and identifying testing steps for each internal control to be tested (115). The methods can include requesting evidence of internal controls operations to support testing for each internal control (120), and preparing and examining the evidence for completeness (125). The evidence of the internal controls operations can include: an observation, an answer to a query, a document, and combinations thereof. Testing can be performed to test effectiveness of each internal control (130), and the testing of each internal control can be evaluated using the parameters of the internal controls library (135) to determine effectiveness of the internal controls. The testing results of the internal controls can be communicated to the management of a company, owners of a company, an audit committee for a company, and combinations thereof (140).
The embodied methods allow for internal controls testing across many testing groups (for example, internal audit, external audit, operational peer review). The number of testing groups can vary, but is usually based on the number of groups the company wants to establish. The testing is further facilitated through flexible testing cycles. In one embodiment, the methods can include a testing step, wherein the company can establish many different testing groups, with potential overlap regarding testing off specific controls. These embodied methods differs from other solutions where only one test plan is provided. The company can then use the results from the testing of the different groups in support of a company's overall Sarbanes-Oxley certifications and assertions.
As discussed above, the internal controls are “dynamic” in that the internal controls can change as the company changes. In testing the internal controls, the methods can incorporate analyzing the internal controls in various stages as a cycle. The methods can entail applying a rating system in conjunction or not in conjunction with an executive dashboard. The rating system can relate to the various iterative “stages”, or statuses, a control may follow.
As an example, a stop-light analogy can be used to reflect the status of each specific control at any given time. A high green light or effective status can be given if a control was effective based on the last test result. A low green light or effective status can be given if the same control was effective last time the control was tested and is now scheduled for additional testing. A low red light or ineffective status can be given if the same control tests with exceptions/fails a test. A high red light or ineffective status but showing some incremental progress status can be given if the same control that tested ineffective is now in remediation. A yellow light or ineffective but significantly progressing toward effective status can be given if the same control has now been remediated and is schedule for remediation testing. The green light or effective status can be given if the same control successfully completes remediation testing. The embodied methods allow for different flexible parameters for standard testing versus remediation testing contemplated within these embodiments. Different rules can be used and considered effective under the different testing contemplated.
FIG. 5 depicts a diagrammatical plan for remediating ineffective internal controls or internal controls that are outside of the parameters of the internal controls library to create effective internal controls (25), as depicted in FIG. 1. The embodiments of the method can include the planned steps of determining a need for internal controls remediation (145) by reviewing designs of the internal controls that failed testing (150), creating a remediation plan to remedy internal controls that failed testing (155), and implementing the created remediation plan (160). After implementing the created remediation plan, the internal controls can be tested (165) to determine effectiveness, which can include remediation testing, testing of a previously tested internal control, and combinations thereof. The remediation test results of the internal controls can be communicated to the management and the owners of the company (170).
FIG. 6 depicts a diagrammatical plan for monitoring effectiveness of internal controls (30), as depicted in FIG. 1. The embodiments of the method for accelerating Sarbanes-Oxley compliance for management of a company can include the planned steps of monitoring the internal controls and the remediating of the internal controls on a real time basis for achieving Sarbanes-Oxley compliance (30), and for providing an executive dashboard on a real time basis for achieving Sarbanes-Oxley compliance (175). In providing the executive dashboard on a real time basis for monitoring the internal controls, the method steps can include: providing a real time display of internal controls in operation (180), providing a real time display of internal controls testing (185), providing a real time display of remediation of internal controls (190), and combinations thereof. Next, the executive dashboard for achieving Sarbanes-Oxley compliance can be transmitted to: a board of directors, an audit committee, an external auditor, and combinations thereof (195) for review and validation.
The embodiments of the method can include updating the executive dashboard consistent with the expansion of the defined scope components required for Sarbanes-Oxley compliance for the company (200). Further, the method can include, performing a written approval of the executive dashboard for monitoring the internal controls, which can include a sign-off process for management (205).
FIG. 7 depicts a diagrammatical plan for Sarbanes-Oxley compliance certification of the company (35), as depicted in FIG. 1. The methods for accelerating Sarbanes-Oxley compliance can include the steps of certifying the company by preparing certifications, assertions, and reports relative to the achieved Sarbanes-Oxley compliance using the monitored internal controls and remediated internal controls. The certification process can include managing a sub-certification form completion process that includes: validating compliance process narratives for completeness and accuracy, revising documentation of controls, and facilitating sign-off on sub-certification by management and owners of the company (210). The certification process is flexible and can include sub-certification and/or multiple levels of sign off.
The embodiments can include the next steps of: performing deficiency evaluations on the internal controls that fail as of a certain date (215), aggregating deficiency evaluation results by financial statement line item (220), determining effectiveness of internal controls (225), and reviewing validated results with the external auditor (230). This can facilitate the Sarbanes-Oxley requirement for the independent or external auditor's review of management testing and subsequently reduce auditing fees. The certification process can include preparing Sarbanes-Oxley compliance certifications and assertions (235), and preparing financial results reports (240) or other testing results reports for each management area. Each management area can, then, certify a design or a plan, the maintenance, the testing, and combinations thereof, with regard to the internal controls for their area of the company in achieving and maintaining Sarbanes-Oxley compliance.
Finally, the annual certification process can conclude by issuing financial reports with Sarbanes-Oxley compliance results (245) for the year, which then complies with the on-going Sarbanes-Oxley compliance process.
The methods can further include steps directed toward establishing year-end evaluation of ineffective controls process. All supporting evidence, audit work-papers and approvals associated with the steps of establishing Sarbanes-Oxley compliance can be codified. The codified result takes the complex audit evaluation process and creates an output that a “layman” or non-audit experienced staff member, process owner and/or executive, can easily follow. In addition to codifying the complex, individual controls deficiency evaluating process, the methods provide functionality for management to aggregate individual deficiencies to determine if the company collectively has a significant deficiency or material weakness. For example, the methods can create a report that presents the five deficient controls related to Capital Leases, thereby enabling management to create an opinion as to the collective impact that the deficiencies may have on financial reporting. The codified results from the embodied methods facilitate Sarbanes-Oxley compliance process since the codified result serves as supporting evidence for a company's Sarbanes-Oxley compliance assertion.
In establishing an audit trail, the methods can include a request for evidence process and metrics for facilitating controls testing. The methods can identify specific evidence required to test the operational effectiveness of a control and can build a detailed audit-trail of the test. The methods can capture electronic copies of information supplied for a specific controls test and can establish key metrics to enable accountability within the organization. All requests for evidence can be time stamped in the system and then “aged” by how long it takes to supply the tester with the requested information. The request of evidence process can automatically generate e-mail requests for evidence and can generate random sample selections. Evidence that further supports the test that an internal control is effective can be uploaded. The request for evidence can include uploading the data and test details into the internal controls library.
In furtherance of establishing an audit trail, the embodied methods can include tracking the remediation process for ineffective internal controls. The ineffective internal controls can be tracked in order to identify, understand, and document a root cause for failure of a control. Tracking the remediation process can include an automatic generation of a request for remediation after each ineffective test. The request for remediation can be directed to the process owner for validation and/or approval. Tracking the remediation process can include updating a controls master data to reflect that the ineffective internal control is “in remediation.” The methods can include flexible parameters to allow management to manage the process requesting requests for remediation using metrics, such as aging. Tracking the remediation process can include following a “next occurrence” methodology and can be used to establish an audit trail with work-flow history.
While these embodiments have been described with emphasis on the embodiments, it should be understood that within the scope of the appended claims, the embodiments might be practiced other than as specifically described herein.

Claims (18)

1. A method for accelerating a Sarbanes-Oxley (SOX) compliance process for management of a company, wherein the method comprises:
a. Using a computer processor to perform steps of:
(i). defining scope components needed for Sarbanes-Oxley (SOX) compliance;
(ii). establishing internal controls for achieving Sarbanes-Oxley (SOX) compliance for the scope components and operating the internal controls using dynamic internal controls library comprising parameters;
(iii). planning and testing the internal controls for achieving Sarbanes-Oxley (SOX) compliance for the scope components and evaluating the internal controls for achieving Sarbanes-Oxley (SOX) compliance using the parameters of the dynamic internal controls library;
(iv). remediating the internal controls for achieving Sarbanes-Oxley (SOX) compliance that are outside of the parameters of the internal controls library to maintain effective internal controls;
(v). monitoring the internal controls and the remediating of the internal controls on a real time basis for achieving Sarbanes-Oxley (SOX) compliance, wherein the step of monitoring the internal controls and the remediating of the internal controls comprises providing an executive dashboard on a real time basis for achieving Sarbanes-Oxley (SOX) compliance; and
(vi). certifying the company by preparing certifications, assertions, and reports relative to the achieved Sarbanes-Oxley (SOX) compliance using the monitored internal controls and remediated internal controls.
2. The method of claim 1, wherein the step of defining scope components comprises developing an annual risk assessment for entities within the defined scope components for Sarbanes-Oxley (SOX) compliance and creating an annual risk assessment report.
3. The method of claim 1, wherein the step of defining scope components comprises associating a value amount for achieving Sarbanes-Oxley compliance for a company with the defined scope component.
4. The method of claim 3, wherein the step of defining value for scope components comprises defining a member selected from the group consisting of: a process, an entity, a technology, a location, and combinations thereof.
5. The method of claim 1, wherein the step of defining scope components comprises a member selected from the group consisting of: reviewing the defined scope components with an external auditor, validating the defined scope components with the external auditor, communicating the defined scope components to a company, maintaining a methodology for completing a Sarbanes-Oxley (SOX) compliance process, and combinations thereof.
6. The method of claim 1, wherein the step of establishing internal controls and operating internal controls comprises:
a. defining at least one activity and at least one step of each internal control;
b. identifying an event, a technology, or combinations thereof, that creates a requirement to change at least one activity or at least one step of each internal control;
c. identifying an event, a technology, or combinations thereof, that adds at least one internal control;
d. identifying an event, a technology, or a combination thereof, that sunsets at least one internal control;
e. communicating impact event information when there is a need to change the internal controls;
f. updating the parameters of the internal controls library; and
instructing employees to perform at least one activity or at least one step of each internal control.
7. The method of claim 1, wherein the step of planning, testing, and evaluating internal controls for achieving Sarbanes-Oxley (SOX) compliance comprises:
a. defining testing groups and testing cycles for each fiscal year;
b. identifying internal controls to be tested by each testing group and in each testing cycle;
c. identifying testing steps for each internal control to be tested;
d. requesting evidence of internal controls operations to support testing steps for each internal control;
e. examining evidence for completeness;
f. performing testing steps to test effectiveness of each internal control;
g. evaluating testing of each internal control using parameters of internal controls library; and
h. communicating testing results of the internal controls to a member selected from the group consisting of: management of a company, owners of a company, audit committee for a company, and combinations thereof.
8. The method of claim 7, wherein the evidence of internal controls operations comprises a member selected from the group consisting of: an observation, an answer to a query, a document validating performance of the internal controls, and combinations thereof.
9. The method of claim 1, wherein the internal controls testing comprises a member selected from the group consisting of: remediation testing, testing of a previously tested internal control, or combinations thereof.
10. The method of claim 1, wherein the step of remediating the internal controls for achieving Sarbanes-Oxley (SOX) compliance further comprises determining a need for internal controls remediation.
11. The method of claim 1, wherein the step of remediating internal controls when a need is determined comprises:
a. reviewing designs of the internal controls that failed testing of the internal controls;
b. creating a remediation plan to remedy internal controls that failed testing;
c. implementing the created remediation plan;
d. testing the internal controls after implementing the created remediation plan; and
e. communicating remediation test results of the internal controls to the management and owners of the company.
12. The method of claim 1, wherein the step of providing the executive dashboard on a real time basis for achieving Sarbanes-Oxley (SOX) compliance comprises a member selected from the group consisting of: providing a real time display of internal controls operation, providing a real time display of internal controls testing, providing a real time display of remediation of internal controls, reporting on a request for remediation status, reporting on a request for evidence status, providing an deficiency evaluation on the performance of the internal controls, and combinations thereof.
13. The method of claim 1, wherein the step of providing the executive dashboard on a real time basis for achieving Sarbanes-Oxley compliance comprises transmitting the executive dashboard on a real time basis to a member selected from the group consisting of: a board of directors, an audit committee, an external auditor, and combinations thereof.
14. The method of claim 1, wherein the step of providing the executive dashboard on a real time basis for achieving Sarbanes-Oxley compliance comprises updating the executive dashboard consistent with the expansion of the defined scope components required for Sarbanes-Oxley (SOX) compliance for a company.
15. The method of claim 1, wherein the step of providing the executive dashboard further comprises performing a written approval and sign-off process.
16. The method of claim 1, wherein the step of performing a certification comprises:
a. performing deficiency evaluations on the internal controls that fail as of a certain date;
b. aggregating deficiency evaluation results using items from the controls library;
c. determining effectiveness of internal controls;
d. reviewing validated results with the external auditor;
e. preparing Sarbanes-Oxley (SOX) compliance certifications and assertions;
f. preparing financial results reports;
g. issuing financial reports with Sarbanes-Oxley (SOX) compliance results.
17. The method of claim 16, further comprising the step of performing the certification process by managing a sub-certification form completion process comprising: validating process narratives for completeness accuracy, revising documentation of the effectiveness of the operation of the internal controls, and facilitating sign-off on sub-certification by management and owners of the company.
18. The method of claim 1, further comprising the step of performing the certification and assertion process by each management area certifying a member selected from the group consisting of: a design, maintenance, testing, and combinations thereof, of internal controls for Sarbanes-Oxley compliance.
US11/315,995 2005-12-22 2005-12-22 Method for accelerating Sarbanes-Oxley (SOX) compliance process for management of a company Expired - Fee Related US7447650B1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US11/315,995 US7447650B1 (en) 2005-12-22 2005-12-22 Method for accelerating Sarbanes-Oxley (SOX) compliance process for management of a company

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US11/315,995 US7447650B1 (en) 2005-12-22 2005-12-22 Method for accelerating Sarbanes-Oxley (SOX) compliance process for management of a company

Publications (1)

Publication Number Publication Date
US7447650B1 true US7447650B1 (en) 2008-11-04

Family

ID=39916564

Family Applications (1)

Application Number Title Priority Date Filing Date
US11/315,995 Expired - Fee Related US7447650B1 (en) 2005-12-22 2005-12-22 Method for accelerating Sarbanes-Oxley (SOX) compliance process for management of a company

Country Status (1)

Country Link
US (1) US7447650B1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080015978A1 (en) * 2006-06-14 2008-01-17 Curry Edith L Methods of monitoring behavior/activity of an individual associated with an organization
US20090187437A1 (en) * 2008-01-18 2009-07-23 Spradling L Scott Method and system for auditing internal controls
US20160110664A1 (en) * 2014-10-21 2016-04-21 Unisys Corporation Determining levels of compliance based on principles and points of focus
US11514335B2 (en) 2016-09-26 2022-11-29 International Business Machines Corporation Root cause identification in audit data

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050065839A1 (en) * 2003-09-22 2005-03-24 Debra Benson Methods, systems and computer program products for generating an aggregate report to provide a certification of controls associated with a data set
US20050138031A1 (en) * 2003-12-05 2005-06-23 Wefers Wolfgang M. Systems and methods for assigning task-oriented roles to users
US20050228685A1 (en) * 2004-04-07 2005-10-13 Simpliance, Inc. Method and system for rule-base compliance, certification and risk mitigation
US20060059026A1 (en) * 2004-08-24 2006-03-16 Oracle International Corporation Compliance workbench
US20060129441A1 (en) * 2004-07-10 2006-06-15 Movaris Inc. Apparatus, method, and system for documenting, performing, and attesting to internal controls for an enterprise
US20060212487A1 (en) * 2005-03-21 2006-09-21 Kennis Peter H Methods and systems for monitoring transaction entity versions for policy compliance
US20060259316A1 (en) * 2005-04-26 2006-11-16 Npsox.Com Llc Sarbanes-Oxley compliance system
US20070055596A1 (en) * 2005-08-26 2007-03-08 Movaris, Inc System for preparing financial disclosures by unifying financial close and financial control steps
US20070078701A1 (en) * 2005-09-30 2007-04-05 Karol Bliznak Systems and methods for managing internal controls with import interface for external test results
US20070233508A1 (en) * 2004-05-05 2007-10-04 David Gillespie Corporate Control Management Software

Patent Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050065839A1 (en) * 2003-09-22 2005-03-24 Debra Benson Methods, systems and computer program products for generating an aggregate report to provide a certification of controls associated with a data set
US20050138031A1 (en) * 2003-12-05 2005-06-23 Wefers Wolfgang M. Systems and methods for assigning task-oriented roles to users
US20050228685A1 (en) * 2004-04-07 2005-10-13 Simpliance, Inc. Method and system for rule-base compliance, certification and risk mitigation
US20070233508A1 (en) * 2004-05-05 2007-10-04 David Gillespie Corporate Control Management Software
US20060129441A1 (en) * 2004-07-10 2006-06-15 Movaris Inc. Apparatus, method, and system for documenting, performing, and attesting to internal controls for an enterprise
US20060059026A1 (en) * 2004-08-24 2006-03-16 Oracle International Corporation Compliance workbench
US20060212487A1 (en) * 2005-03-21 2006-09-21 Kennis Peter H Methods and systems for monitoring transaction entity versions for policy compliance
US20060259316A1 (en) * 2005-04-26 2006-11-16 Npsox.Com Llc Sarbanes-Oxley compliance system
US20070055596A1 (en) * 2005-08-26 2007-03-08 Movaris, Inc System for preparing financial disclosures by unifying financial close and financial control steps
US20070078701A1 (en) * 2005-09-30 2007-04-05 Karol Bliznak Systems and methods for managing internal controls with import interface for external test results

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
MetricStreams Press Release (www. metricstream.com/pressNews/pressrelease<SUB>-</SUB>41.htm): Advanced Equities selects MetricStreams for Sarbanes-Oxley Compliance, May 11, 2005, pp. 1-2. *

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080015978A1 (en) * 2006-06-14 2008-01-17 Curry Edith L Methods of monitoring behavior/activity of an individual associated with an organization
US8285636B2 (en) * 2006-06-14 2012-10-09 Curry Edith L Methods of monitoring behavior/activity of an individual associated with an organization
US20120330821A1 (en) * 2006-06-14 2012-12-27 Curry Edith L Methods of monitoring behavior/activity of an individual associated with an organization
US8666884B2 (en) * 2006-06-14 2014-03-04 Edith L. CURRY Methods of monitoring behavior/activity of an individual associated with an organization
US20090187437A1 (en) * 2008-01-18 2009-07-23 Spradling L Scott Method and system for auditing internal controls
US8504452B2 (en) * 2008-01-18 2013-08-06 Thomson Reuters Global Resources Method and system for auditing internal controls
US20160110664A1 (en) * 2014-10-21 2016-04-21 Unisys Corporation Determining levels of compliance based on principles and points of focus
US11514335B2 (en) 2016-09-26 2022-11-29 International Business Machines Corporation Root cause identification in audit data

Similar Documents

Publication Publication Date Title
Abrams et al. Optimized enterprise risk management
US7505933B1 (en) System for accelerating Sarbanes-Oxley (SOX) compliance process for management of a company
Yatim Audit committee characteristics and risk management of Malaysian listed firms
Zhang et al. Construction small-projects rework reduction for capital facilities
US20150356477A1 (en) Method and system for technology risk and control
US20090265200A1 (en) System and Method for Governance, Risk, and Compliance Management
Pojasek Understanding sustainability: An organizational perspective.
Lakner et al. Reliability Engineering for Nuclear and Other High Technology Systems (1985): A practical guide
US20050065839A1 (en) Methods, systems and computer program products for generating an aggregate report to provide a certification of controls associated with a data set
US20130030860A1 (en) Managing inspection, test, analys, and acceptance criteria (itaac) activities, systems and methods
Karagiannis A Business Process-Based Modelling Extension for Regulatory Compliance.
Crespo et al. The evolution of model risk management
US7447650B1 (en) Method for accelerating Sarbanes-Oxley (SOX) compliance process for management of a company
US7454375B1 (en) Computer readable medium for accelerating Sarbanes-Oxley (SOX) compliance process for management of a company
Namiri et al. A formal approach for internal controls compliance in business processes
Sadiq et al. A methodological framework for aligning business processes and regulatory compliance
Risk Enterprise Risk Management
Malki et al. Enterprise risk management at the State University of New York: A benchmark for Saudi universities
Pearson et al. Towards An Ethics-Audit Bot
Goman An extended analysis of risk management concepts in IT management frameworks
Juras et al. Adapting Six Sigma to help tame the SOX 404 compliance beast
Doherty et al. Sustainable HSE Performance: Successful Management Systems and Monitoring Tools in the Middle East LNG Industry
Chuprunov Leveraging SAP GRC in the fight against corruption and fraud
Aboutorabifard Equator Principles and climate change issues: Examining the EPs’ climate change policies and analyzing the likely effectiveness of these policies
Gardner Energy management systems in buildings: The practical lessons

Legal Events

Date Code Title Description
AS Assignment

Owner name: AVVANTICA CONSULTING, LLC, TEXAS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:GUTIERREZ, JOHN;SELLERS, BLAKE;REEL/FRAME:017372/0176

Effective date: 20051220

AS Assignment

Owner name: AVALION CONSULTING, LLC, TEXAS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:AVVANTICA CONSULTING, LLC;REEL/FRAME:019351/0941

Effective date: 20070509

STCF Information on status: patent grant

Free format text: PATENTED CASE

AS Assignment

Owner name: GRANT THORNTON LLP,ILLINOIS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:AVALION CONSULTING, LLC;REEL/FRAME:024468/0662

Effective date: 20100501

FPAY Fee payment

Year of fee payment: 4

FPAY Fee payment

Year of fee payment: 8

FEPP Fee payment procedure

Free format text: MAINTENANCE FEE REMINDER MAILED (ORIGINAL EVENT CODE: REM.); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY

LAPS Lapse for failure to pay maintenance fees

Free format text: PATENT EXPIRED FOR FAILURE TO PAY MAINTENANCE FEES (ORIGINAL EVENT CODE: EXP.); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY

STCH Information on status: patent discontinuation

Free format text: PATENT EXPIRED DUE TO NONPAYMENT OF MAINTENANCE FEES UNDER 37 CFR 1.362

FP Lapsed due to failure to pay maintenance fee

Effective date: 20201104

AS Assignment

Owner name: DEUTSCHE BANK AG NEW YORK BRANCH, AS ADMINISTRATIVE AGENT, NEW YORK

Free format text: PATENT SECURITY AGREEMENT;ASSIGNOR:GRANT THORNTON ADVISORS LLC;REEL/FRAME:067592/0443

Effective date: 20240531

AS Assignment

Owner name: GRANT THORNTON ADVISORS LLC, ILLINOIS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:GRANT THORNTON LLP;REEL/FRAME:067728/0130

Effective date: 20240530